Relabel filesystem if SELinux is available
Relabel the filesystem during image builds if SELinux is supported in the kernel of the build machine and userspace tools are available. Otherwise touch /.autorelabel to schedule a relabel the first time the image boots. We relabel when possible because it decreases first boot time. Change-Id: I0bec885d6e5d4f4e1106f3bd2a90ba5f86395b07 Partial-Bug: 1347845
parent
fc5e791a6b
commit
e92398a318
@ -3,16 +3,14 @@
|
|||||||
set -eux
|
set -eux
|
||||||
set -o pipefail
|
set -o pipefail
|
||||||
|
|
||||||
CONFIGURED_SELINUX=$(grep ^SELINUX= /etc/selinux/config | awk -F = '{print $2}')
|
if [ -d /sys/fs/selinux -a /etc/selinux/targeted/contexts/files/file_context\
|
||||||
|
s -a -x /usr/sbin/setfiles ]; then
|
||||||
if [ "$CONFIGURED_SELINUX" == "enforcing" ]; then
|
|
||||||
# Without fixing selinux file labels, sshd will run in the kernel_t domain
|
# Without fixing selinux file labels, sshd will run in the kernel_t domain
|
||||||
# instead of the sshd_t domain, making ssh connections fail with
|
# instead of the sshd_t domain, making ssh connections fail with
|
||||||
# "Unable to get valid context for <user>" error message
|
# "Unable to get valid context for <user>" error message
|
||||||
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
|
setfiles /etc/selinux/targeted/contexts/files/file_contexts /
|
||||||
else
|
else
|
||||||
echo "Skipping SELinux relabel, since it is not Enforcing."
|
echo "Skipping SELinux relabel, since setfiles is not available."
|
||||||
echo "To relabel once the image is running, use:"
|
echo "Touching /.autorelabel to schedule a relabel when the image boots."
|
||||||
echo "setfiles /etc/selinux/targeted/contexts/files/file_contexts /"
|
touch /.autorelabel
|
||||||
echo "fixfiles restore"
|
|
||||||
fi
|
fi
|
||||||
|
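Review bot: The `/etc/selinux/targeted/contexts/files/file_contexts` operand in the new `if [ -d /sys/fs/selinux -a … -a -x /usr/sbin/setfiles ]` test has no file operator, so `[` evaluates it as a non-empty string. That is always true, so the presence of the contexts file is never checked. With `set -eux` in effect, a missing file would make `setfiles` fail and abort the build instead of falling through to `touch /.autorelabel`. I would write the condition as `if [ -d /sys/fs/selinux ] && [ -f /etc/selinux/targeted/contexts/files/file_contexts ] && [ -x /usr/sbin/setfiles ]; then`, which also drops the ambiguous `-a` and the backslash continuation that appears to split the path mid-word. The else branch's message names only `setfiles`, although that branch is also reached when `/sys/fs/selinux` is absent, so the log line should say which precondition failed.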